An expert says HMRC could become the first high-profile casualty of the recently introduced General Data Protection Regulation.
The government department has been accused by privacy watchdog Big Brother Watch of analysing and storing the voices of millions of British taxpayers without their consent.
The Information Commissioner’s Office (ICO) is currently looking into the issue.
Ron Moscona, a partner at international law firm Dorsey & Whitney, told BusinessCloud that many questions remain unanswered, which will affect the decision over whether to investigate and potentially fine HMRC.
“It will be down to whether collecting the voice samples posed a significant risk to the privacy interests of individuals, whether the public interest justified collecting the data and whether the exercise was carried out in a responsible manner to adequately minimise any privacy risks,” he explained.
“It would be just as important to find out how the samples were dealt with and protected within HMRC as it is to look at the process in which they were collected.
“It is unclear yet whether this case gives rise to sufficient concerns to warrant an investigation by the ICO.”
Moscona says the situation is tricky from a legal point of view as people who contacted the HMRC telephone line were asked to provide voice samples for use as passwords, but it is not clear whether they had much choice but to give consent.
“On the face of it, there should be nothing wrong with using voice samples as passwords to access a government tax service,” said Moscona.
“However, voice samples may be considered biometric data, which is one of certain categories of ‘special’ or ‘sensitive’ data subject to heightened legal protection.
“HMRC may try to argue that people gave their voice samples voluntarily, although there may be a debate whether taxpayers were given a realistic choice and therefore whether consent was given freely.
“HMRC can also argue that it did not require explicit consent, because collecting the samples was ‘necessary for reasons of substantial public interest’.
“However, it would also need to demonstrate a basis in law for doing so, and there could be a debate whether any law in the UK authorises the sample collection.”
An HMRC spokesperson told BusinessCloud that it takes its GDPR responsibilities extremely seriously and is “resolving the issues between implied and active consent that may exist with our VoiceID system”.
It said that customers could access its systems without using VoiceID and that there is no possibility of digital signatures being traced back to an individual outside of the system.
It added: “Our VoiceID system is very popular with customers as it gives a quick and secure route into our systems. Our customers’ data, including for VoiceID, is stored securely.”